A researcher analyzed a fake Ledger device purchased through a major online marketplace at the price of an original and found an unauthorized chip inside with its markings erased, along with a wireless module not present in any official model.
The firmware stored the PIN code and seed phrases in plain text. It also contained links to remote command-and-control servers.
The device mimicked a Ledger at the identifier level, but during boot it revealed itself as an Espressif-based product. When it was connected to the official Ledger Live app, the Genuine Check immediately flagged it as counterfeit, prompting the owner to open the device and investigate further.
A Scheme Targeting New Users
Inside the box was a card with a QR code leading to a clone of ledger.com. From there, the user downloads a fake Ledger Live app — available for Android, iOS, Windows, or macOS. The app simulates a successful authenticity check; the user creates a wallet, writes down the seed phrase, and the data is sent directly to the attackers’ servers.
The Android version goes further: it tracks balances via public keys, requests geolocation access, and continues running in the background even after being closed. The wireless modules inside the device were not used in the attack — the key vector was phishing through the application itself.
Linked Infrastructure
The investigation revealed a unified network of multiple domains and servers registered through a single provider. Sales were conducted via a shell company created specifically for marketplace distribution. Individual cases of fake Ledger devices had been reported before, but this case shows a fully developed supply chain with centralized control.
Blockchain investigator ZachXBT previously reported that a fake Ledger Live app on the App Store drained more than 50 users’ wallets in one week, with funds moving through over 150 KuCoin addresses linked to a service called AudiA6. Earlier, a similar app on the same App Store collected $9.5M from users.
The attack does not exploit vulnerabilities in Ledger itself: the Genuine Check reliably detects counterfeits. The risk arises when users purchase devices outside official channels and install applications via QR codes included in the box.
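As an added illustration (not code from the researcher or from Ledger), the check below shows how a URL decoded from an in-box QR code can be compared against the official domain before anything is downloaded. It assumes that ledger.com and its subdomains are the only trusted hosts; the function name and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "ledger.com"  # the domain the article says was cloned
BRAND = OFFICIAL_DOMAIN.split(".")[0]


def check_qr_url(url):
    """Return (trusted, reason) for a URL decoded from a QR code.

    Assumption: only OFFICIAL_DOMAIN and its subdomains are trusted.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if has_userinfo:
        # https://ledger.com@other.example/ really points at other.example
        return False, "userinfo before host"
    if not host:
        return False, "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        # Non-ASCII or punycode labels can render like the real name
        return False, "internationalized host"
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return True, "official domain"
    if BRAND in host:
        # Brand name embedded in a domain someone else controls
        return False, "lookalike domain"
    return False, "unrelated domain"


if __name__ == "__main__":
    # Constructed sample URLs; none of them comes from the investigation.
    samples = [
        "https://www.ledger.com/start",
        "https://ledger.com.setup.example/start",
        "https://ledger.com@wallet.example/live",
        "https://l\u0119dger.com/",
        "http://ledger.com/",
        "https://ledger-live.example/download",
    ]
    for sample in samples:
        print(sample, "->", check_qr_url(sample))
```

The ordering matters: the userinfo and internationalized-host checks run before the suffix match, so a string that merely displays the official name never reaches the trusted branch.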
